Most Brex APIs require a Brex admin to grant access. In these cases, only users with the account admin role can be authenticated.
Additionally:
Bookkeepers may access the accounting API.
Partners using the onboarding API authenticate with a Client Credentials Grant; there is no user associated with this API access.
Scopes
Scopes define which endpoints your app has access to. You will specify your scopes when generating your user token.
For more information on how scopes work in general, see the OAuth website.
Scopes are additive
As a general security practice, you should request the minimum set of scopes required for whatever action the user is performing. For instance, if you are building a simple app that lists all of a company's cards, you should request the cards.readonly scope. Since you are not modifying any data, you only need the readonly version of the cards scope.
If you later want to add new functionality that requires fetching user information or making updates to cards, you can request those scopes (users, cards). This sends the user through the authentication flow again and adds those scopes to their previously consented scopes.
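The following added example (not part of the Brex documentation or SDK) audits a token's consented scopes against what the app actually does: it returns the scopes still to be requested and the consented scopes the app does not need. The scope names are the ones mentioned above; the action names and the rule that a full scope also covers its ".readonly" version are assumptions.

```python
# Added illustration. Scope names (cards.readonly, cards, users) come from the
# text above; the action names are hypothetical labels for app features.
REQUIRED = {
    "list_cards": {"cards.readonly"},
    "update_cards": {"cards"},
    "fetch_users": {"users"},
}
RO = ".readonly"


def parse_scopes(scope_string):
    """OAuth 2.0 scope strings are space-delimited (RFC 6749, section 3.3)."""
    return set(scope_string.split())


def covers(granted, scope):
    # Assumption: holding the full scope (e.g. "cards") also permits whatever
    # its ".readonly" version permits.
    if scope in granted:
        return True
    return scope.endswith(RO) and scope[: -len(RO)] in granted


def plan(consented_string, actions):
    """Return (to_request, excess) for the actions the app performs.

    to_request: scopes to ask for in the next authorization flow; because
                scopes are additive, only the missing ones are requested.
    excess:     consented scopes that no listed action needs, i.e. privilege
                the app holds beyond the minimum.
    """
    consented = parse_scopes(consented_string)
    needed = set().union(*(REQUIRED[a] for a in actions))
    # Drop a ".readonly" scope when the full scope is needed anyway.
    minimal = {s for s in needed
               if not (s.endswith(RO) and s[: -len(RO)] in needed)}
    to_request = sorted(s for s in minimal if not covers(consented, s))
    excess = sorted(s for s in consented
                    if s not in minimal and not covers(minimal, s))
    return to_request, excess


if __name__ == "__main__":
    # Constructed inputs: a read-only app that later adds write features,
    # and an app holding more than its single read-only feature needs.
    print(plan("cards.readonly", ["list_cards", "update_cards", "fetch_users"]))
    print(plan("cards users", ["list_cards"]))
```

Scopes that are included automatically in user tokens should be removed from the consented set before the comparison, otherwise they are reported as excess.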
User scopes
At the beginning of each API reference, there is a list of the scopes required for that given API. They are also listed here for convenience.
Authentication
These 2 scopes are included automatically in user tokens.